Cybercriminals associated with a financially motivated group known as GoldFactory have been observed staging a fresh round of attacks targeting mobile users in Indonesia, Thailand, and Vietnam by impersonating government services.
The activity, observed since October 2024, involves distributing modified banking applications that act as a conduit for Android malware, Group-IB said in a technical report published Wednesday.
Assessed to be active as far back as June 2023, GoldFactory first gained attention early last year, when the Singapore-headquartered cybersecurity company detailed the threat actor’s use of custom malware families like GoldPickaxe, GoldDigger, and GoldDiggerPlus targeting both Android and iOS devices.
Evidence points to GoldFactory being a well-organized Chinese-speaking cybercrime group with close connections to Gigabud, another Android malware that was spotted in mid-2023. Despite major disparities in their codebases, both GoldDigger and Gigabud have been found to share similarities in their impersonation targets and landing pages.
The first cases in the latest attack wave were detected in Thailand, with the threat subsequently appearing in Vietnam by late 2024 and early 2025 and in Indonesia from mid-2025 onwards.
Group-IB said it has identified more than 300 unique samples of modified banking applications that have led to almost 2,200 infections in Indonesia. Further investigation has uncovered over 3,000 artifacts that it said led to no less than 11,000 infections. About 63% of the altered banking apps cater to the Indonesian market.
The infection chains, in a nutshell, involve the impersonation of government entities and trusted local brands and approaching prospective targets over the phone to trick them into installing malware by instructing them to click on a link sent on messaging apps like Zalo.
In at least one case documented by Group-IB, fraudsters posed as Vietnam’s public power company EVN and urged victims to pay overdue electricity bills or risk facing immediate suspension of the service. During the call, the threat actors are said to have asked the victims to add them on Zalo so as to receive a link to download an app and link their accounts.
The links redirect the victims to fake landing pages that masquerade as Google Play Store app listings, resulting in the deployment of a remote access trojan like Gigabud, MMRat, or Remo, which surfaced earlier this year using the same tactics as GoldFactory. These droppers then pave the way for the main payload that abuses Android’s accessibility services to facilitate remote control.
“The malware […] is based on the original mobile banking applications,” researchers Andrey Polovinkin, Sharmine Low, Ha Thi Thu Nguyen, and Pavel Naumov said. “It operates by injecting malicious code into only a portion of the application, allowing the original application to retain its normal functionality. The functionality of injected malicious modules can differ from one target to another, but mainly it bypasses the original application’s security features.”
Specifically, it works by hooking into the application’s logic to execute the malware. Three different malware families have been discovered based on the frameworks used in the modified applications to perform runtime hooking: FriHook, SkyHook, and PineHook. Regardless of these differences, the functionality of the modules overlaps, making it possible to –
- Hide the list of applications that have accessibility services enabled
- Prevent screencast detection
- Spoof the signature of an Android application
- Hide the installation source
- Implement custom integrity token providers, and
- Obtain the victims’ balance account
While SkyHook makes use of the publicly available Dobby framework to execute the hooks, FriHook employs a Frida gadget that’s injected into the legitimate banking application. PineHook, as the name implies, utilizes a Java-based hooking framework called Pine.
Group-IB said its analysis of the malicious infrastructure erected by GoldFactory also uncovered a pre-release testing build of a new Android malware variant dubbed Gigaflower that’s likely a successor to the Gigabud malware.
It supports around 48 commands to enable real-time screen and device activity streaming using WebRTC; weaponize accessibility services for keylogging, reading user interface content, and performing gestures; serve fake screens to mimic system updates, PIN prompts, and account registration to harvest personal information, and extract data from images associated with identification cards using a built-in text recognition algorithm.
Also currently in the works is a QR code scanner feature that attempts to read the QR code on Vietnamese identity cards, likely with the goal of simplifying the process of capturing the details.
Interestingly, GoldFactory appears to have ditched its bespoke iOS trojan in favor of an unusual approach that now instructs victims to borrow an Android device from a family member or relative to continue the process. It’s currently not clear what prompted the shift, but it’s believed that it’s due to stricter security measures and app store moderation on iOS.
“While earlier campaigns focused on exploiting KYC processes, recent activity shows direct patching of legitimate banking applications to commit fraud,” the researchers said. “The use of legitimate frameworks such as Frida, Dobby, and Pine to modify trusted banking applications demonstrates a sophisticated yet low-cost approach that allows cybercriminals to bypass traditional detection and rapidly scale their operation.”
